metamorpherrat | 61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674

General

Target

61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe
Size

78KB
MD5

e794099d8547311d8493c5976c0f9c80
SHA1

f8689fc50899d419dff3c5b328bb2a70acb9b6d3
SHA256

61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674
SHA512

1af2826eb2bdffcdf0671c2a2b12cf141da727f4afd74d2883fb5d27889092087fe7df7034c97d3bc168f7f88dbd4886fbe669bec1ccbb0dcb8d612a9bc99e21
SSDEEP

1536:0StHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte679/ih1a3:0StHFo53Ln7N041Qqhge679/n

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe

Executes dropped EXE 1 IoCs

pid	Process
1480	tmp1AA7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp1AA7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1AA7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe
Token: SeDebugPrivilege	1480	tmp1AA7.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 4832	1248	61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe	86
PID 1248 wrote to memory of 4832	1248	61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe	86
PID 1248 wrote to memory of 4832	1248	61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe	86
PID 4832 wrote to memory of 644	4832	vbc.exe	89
PID 4832 wrote to memory of 644	4832	vbc.exe	89
PID 4832 wrote to memory of 644	4832	vbc.exe	89
PID 1248 wrote to memory of 1480	1248	61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe	91
PID 1248 wrote to memory of 1480	1248	61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe	91
PID 1248 wrote to memory of 1480	1248	61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe	91

C:\Users\Admin\AppData\Local\Temp\61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe
"C:\Users\Admin\AppData\Local\Temp\61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7_prahgx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAB0E31C9AAC474BACC7FCD6A4B9D265.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:644
- C:\Users\Admin\AppData\Local\Temp\tmp1AA7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1AA7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\61149f8e521c84b13103f5c26f857aa19de3ff0d6777eee5d34a08a21e961674N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7_prahgx.0.vb

Filesize
15KB

MD5
32518f2d5e7ce17a2609a2715216a9f8

SHA1
b30da339bed304351acff0661d4a38ea6335e786

SHA256
a3b88fc583ade852fc9e3724696aca0a75028dbd39b361a33979a15208e4d489

SHA512
0ab2eab26875423de1891c05501197f72dda4dabbd7a1b5b60faa91eb67bc09acec8e263710ad859822fa5471b927f36ad4fbc8e70e9dfcf41a1645344c8c6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7_prahgx.cmdline

Filesize
266B

MD5
7406e2eccf664c0c5c584d742e35eac9

SHA1
eeac143d3e94a16acc64e5e2fe7d068802eb495d

SHA256
46e89917a1380eb1c309f43b698c173cc9557fe47f0e83f0b02134cc959e906d

SHA512
68a29a8eb32cdb9b09a51ed74a57ae47e89f30011149fb41b27b2e82dcbe6b9f55f7d9b9e34369ea9d80912b8f05cdd162f380bfc3c826e062b5a029e72491e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1DF3.tmp

Filesize
1KB

MD5
7347b5141021f5a95b8dc89f833fe5bc

SHA1
11e432b6615498dfe2fd8a63d1f25fd37b6306a6

SHA256
c99d1f196e977e143e26117228bad3a459c68541e4a55b996591eb4cf63ffc60

SHA512
e40949e7ca59aa08a4f3c899d7663dd10963b06156da13a08ecb57421daf69ddf5ccce5cbc6bf8b1bb2d0ed37c5fd14e4253ca48065c6fed0dfbdb9928299672

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1AA7.tmp.exe

Filesize
78KB

MD5
a5237e4e56d254f178e3e299f9cd59d2

SHA1
83d70c5a6c2788554c5efe8c274f46f48c4a8d3b

SHA256
3471c67de14ba4484a728bccf45602137951cb49da88d00816d49630df3543dd

SHA512
791d57c0ad1409142a4178cf808e9aaac17d128b6929a28c76539a7731fdadcb9cb1e491e01b8ae7c85e15b18ba9f229450e282094fc973ee194edaa6804f2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFAB0E31C9AAC474BACC7FCD6A4B9D265.TMP

Filesize
660B

MD5
4ff28cb5c06c19727edbc290416f4fa9

SHA1
f70285411525a01774be19a6b719f6de6f4da747

SHA256
15e26f3a562c8d7c1c4e288dc22b7159e2ca3e4016ddde8efa8bb0c6c76254e3

SHA512
190b3cfd97671d2cb483a7e3dc7d4ab6dc3ec45622102cc18a6f3f26a1083d92fc26ebb4b8c6ad87b2df00acff95481b66066408114d6cfe44b93326764c2455

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1248-1-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1248-2-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1248-0-0x0000000074F82000-0x0000000074F83000-memory.dmp

Filesize
4KB

Download
memory/1248-22-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1480-24-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1480-23-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1480-26-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1480-27-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1480-28-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/4832-18-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/4832-9-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads